Posted to wss4j-dev@ws.apache.org by Mike <mc...@gmail.com> on 2009/02/24 09:46:07 UTC

Re: WSS4J 1.5.5 - Broken decryption when providing certificate (setUseThisCert)

Hi All

I recently upgraded to Wss4j 1.5.5 and I've started having an issue
when encrypting my messages using a provided X509Certificate and
invoking setUseThisCert instead of setUserInfo(alias).

I get the following stack trace:

Exception in thread "main" org.apache.ws.security.WSSecurityException:
General security error (WSSecurityEngine: Callback supplied no
password for: null)
     [java] 	at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:290)
     [java] 	at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:92)
     [java] 	at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:80)
     [java] 	at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
     [java] 	at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
     [java] 	at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:196)
     [java] 	at Encrypt.verifyAndDecrypt(Encrypt.java:233)
     [java] 	at Encrypt.encrypt(Encrypt.java:183)
     [java] 	at Encrypt.<init>(Encrypt.java:119)
     [java] 	at Encrypt.main(Encrypt.java:102)

I've attached a small test case (java 1.5 or higher); this same code
works in WSS4j 1.5.4.

Please adjust the Libs directory in the build.xml file and check the
respective jar availability (verify versions).

For 1.5.5 test run:

ant Encrypt.1.5.5

For 1.5.4 test run:

ant Encrypt.1.5.4

To rebuild:

ant clean
ant build-project

Is it a bug or an implementation issue?

Thanks,

Mike

On Tue, Feb 24, 2009 at 9:52 AM, Mike <mc...@gmail.com> wrote:
> Hi Again!
>
> I found the error in my ways, and it's an interesting problem:
>
> I've been creating an X509Certificate from a base64 encoded String
> which I have been using for the encryption part of the security pass.
> But when it comes to the decryption pass, the SecurityEngine cannot
> locate the alias, I assume because I don't provide an alias when
> encrypting but only provide the X509Cert (useThisCert method).
>
> How would I be able to work around this problem? As providing a public
> key for encryption is more convenient than putting a cert in a
> keystore and referencing it by an alias.
>
> Thank you,
>
> Mike
>
> On Tue, Feb 24, 2009 at 9:41 AM, Mike <mc...@gmail.com> wrote:
>> Hi Colm
>>
>> Thanks for your assistance, it appears to be something in my
>> implementation because since I've put a test case together for you the
>> test case has been working...
>>
>> It's bizarre because it's practically the same code that I use in the
>> system, but in a sandbox it works perfectly...
>>
>> I'll have to dig down to the bottom of it all!
>>
>> Thanks again,
>>
>> Mike
>>
>> On Mon, Feb 23, 2009 at 7:36 PM, Colm O hEigeartaigh
>> <co...@progress.com> wrote:
>>> This is the problem I think:
>>>
>>> encrypt.prepare(doc, crypto);
>>> encrypt.prependToHeader(secHeader);
>>> doc = encrypt.build(doc, crypto, secHeader);
>>>
>>> I noticed that there were two EncryptedKey elements in the security header
>>> with the same Id, which looked odd ;-)
>>>
>>> All you need here is:
>>>
>>> doc = encrypt.build(doc, crypto, secHeader);
>>>
>>> Colm.
>>>
>>>
>>>
>>> ________________________________
>>>
>>> From: Colm O hEigeartaigh [mailto:coheigea@progress.com]
>>> Sent: 23 February 2009 17:09
>>> To: Mike; wss4j-dev@ws.apache.org
>>> Subject: RE: WSS4J 1.5.5 - Broken decryption
>>>
>>> Hi Mike,
>>>
>>> Can you give me a simpler example to work with? The request has both
>>> signature and encryption in it, as well as multiple EncryptedKey elements.
>>> Can you also add the code you're using to process the request?
>>>
>>> Ideally, could you create a test-case for it?
>>>
>>> Colm.
>>>
>>> ________________________________
>>>
>>> From: Mike [mailto:mcanix@gmail.com]
>>> Sent: 11 February 2009 11:58
>>> To: wss4j-dev@ws.apache.org
>>> Subject: WSS4J 1.5.5 - Broken decryption
>>>
>>> Hi All
>>>
>>> I recently upgraded to Wss4J 1.5.5 from 1.5.4 (and xml-sec 1.4.2 from
>>> 1.4.0), after a spelling fix (what is an identifir anyway?! :P) in my
>>> callback handler I tried to run my system (which is a B2B messaging server
>>> using ebXML) but it failed to work on the receiving end.
>>>
>>> I receive a stack trace and the identifier in the callback handle method is
>>> null?!?
>>>
>>> I'm not exactly sure what is going on, I did some digging and found that the
>>> alias was unassigned just before the callback occurred. I have also noted
>>> that I supply a null actor to the 'processSecurityHeader' method since I
>>> don't have access to it at the time. Is the actor fundamental to decryption?
>>>
>>> The same code worked perfectly on WSS4j 1.5.4.
>>>
>>> Versions:
>>>
>>> Wss4j 1.5.5
>>>
>>> xml-sec 1.4.2
>>>
>>> BouncyCastle JDK15-141
>>>
>>> Java 1.5.0_16
>>>
>>> Axis 1.4 1855 April 22 2006
>>>
>>> Metro 1.4
>>>
>>> Thanks,
>>>
>>> Mike
>>>
>>> Stack Trace:
>>>
>>> Caused by: org.apache.ws.security.WSSecurityException: General security
>>> error (WSSecurityEngine: Callback supplied no password for: null)
>>>
>>>  at
>>> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:290)
>>>  at
>>> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:92)
>>>  at
>>> org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:80)
>>>  at
>>> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>>>  at
>>> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>>>  at
>>> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:196)
>>>
>>> Encryption Code:
>>>
>>>   Utils.trace(this.getClass(), "WSS Encrypting SOAP Envelope");
>>>
>>>   WSSecEncrypt encrypt = new WSSecEncrypt();
>>>   encrypt.setEncCanonicalization(encCanonAlgo);
>>>   encrypt.setKeyEncAlgo(encKeyAlgo);
>>>   encrypt.setSymmetricEncAlgorithm(encSymAlgo);
>>>
>>>   if (encCert != null) {
>>>     Utils.trace(this.getClass(), "Encrypting with Configuration provided Certificate");
>>>     encrypt.setUseThisCert(encCert);
>>>   } else {
>>>     Utils.trace(this.getClass(), "Encrypting with Keystore provided Certificate");
>>>     encrypt.setUserInfo(encryptAlias);
>>>   }
>>>
>>>   if (!signalMessage) {
>>>     encrypt.setParts(getEncryptionParts(pMode, event));
>>>   } else {
>>>     encrypt.setParts(getSignalParts());
>>>   }
>>>
>>>   encrypt.prepare(doc, crypto);
>>>
>>>   encrypt.prependToHeader(secHeader);
>>>
>>>   doc = encrypt.build(doc, crypto, secHeader);
>>>
>>>   Utils.trace(this.getClass(), "WSS Encrypted SOAP Envelope");
>>>
>>
>

RE: WSS4J 1.5.5 - Broken decryption when providing certificate (setUseThisCert)

Posted by Colm O hEigeartaigh <co...@progress.com>.
Hi Mike,

The problem is that you're using BouncyCastle as the provider of the CertificateFactory:

CertificateFactory cf = CertificateFactory.getInstance("X509", "BC");

The X509Certificate object then has a DN with the components reversed, compared to Sun's X509Certificate implementation, and this is causing the problems on the processing side. You need to use the same provider at both ends, so just doing:

CertificateFactory cf = CertificateFactory.getInstance("X509");

should work, assuming you have the relevant Sun providers installed. This problem was introduced by the fix for WSS-86, which was in turn introduced to fix a similar problem.

Let me know if this workaround works for you. I'll have to have a think about the best way to fix this on trunk.

Colm.
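
An added example, not code from this thread or from WSS4J, illustrating the mechanism behind Colm's diagnosis: the DN *string* a provider renders for a certificate is provider-specific (the thread reports BouncyCastle reversing the component order relative to Sun's implementation), so any lookup keyed on that string breaks when the two ends use different providers, while the DER-encoded name and the issuer/serial pair match regardless of provider. The DN values and the class name DnMatching are constructed for illustration; it uses only JDK classes.

```java
import javax.security.auth.x500.X500Principal;
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class DnMatching {

    // Constructed example: the SAME subject as the two providers in the thread
    // would render it. Sun-style order is "CN=...,O=...,C=..."; the reversed
    // rendering stands in for what the BouncyCastle-built certificate produced.
    static final String SUN_ORDER = "CN=Mike,O=Example Corp,C=ZA";
    static final String REVERSED_ORDER = "C=ZA,O=Example Corp,CN=Mike";

    /** Fragile: plain string equality depends on which provider rendered the DN. */
    static boolean sameDnByString(String a, String b) {
        return a.equals(b);
    }

    /** Still fragile: parsing both renderings back into X500Principal does not help,
     *  because RDN order is significant in RFC 2253, so the reversed string
     *  encodes a genuinely different name. */
    static boolean sameDnByParsedString(String a, String b) {
        return new X500Principal(a).equals(new X500Principal(b));
    }

    /** Robust: compare the DER encoding of the name, which is what the certificate
     *  actually carries and is identical whichever provider built the object. */
    static boolean sameDnByEncoding(X500Principal a, X500Principal b) {
        return Arrays.equals(a.getEncoded(), b.getEncoded());
    }

    /** Resolving a key-identifier reference the robust way: issuer principal taken
     *  from the certificate's DER (getIssuerX500Principal) plus serial number,
     *  never a DN string produced by getIssuerDN().getName(). */
    static boolean matchesIssuerSerial(X509Certificate cert, X500Principal issuer,
                                       BigInteger serial) {
        return cert.getIssuerX500Principal().equals(issuer)
            && cert.getSerialNumber().equals(serial);
    }

    public static void main(String[] args) {
        X500Principal fromSun = new X500Principal(SUN_ORDER);
        // The processing side receives the name as DER bytes, not as a string.
        X500Principal fromDer = new X500Principal(fromSun.getEncoded());

        System.out.println("string compare:   " + sameDnByString(SUN_ORDER, REVERSED_ORDER));
        System.out.println("parsed compare:   " + sameDnByParsedString(SUN_ORDER, REVERSED_ORDER));
        System.out.println("encoding compare: " + sameDnByEncoding(fromSun, fromDer));
    }
}
```

Only the encoding-based comparison survives a provider mismatch, which is why matching on X500Principal (or issuer plus serial) rather than on a rendered DN string is the durable fix, independent of the workaround of using the same CertificateFactory provider at both ends.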


-----Original Message-----
From: Mike [mailto:mcanix@gmail.com] 
Sent: 24 February 2009 08:46
To: wss4j-dev@ws.apache.org
Subject: Re: WSS4J 1.5.5 - Broken decryption when providing certificate (setUseThisCert)

Hi All

I recently upgraded to Wss4j 1.5.5 and I've started having an issue
when encrypting my messages using a provided X509Certificate and
invoking setUseThisCert instead of setUserInfo(alias).

I get the following stack trace:

Exception in thread "main" org.apache.ws.security.WSSecurityException:
General security error (WSSecurityEngine: Callback supplied no
password for: null)
     [java] 	at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:290)
     [java] 	at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:92)
     [java] 	at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:80)
     [java] 	at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
     [java] 	at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
     [java] 	at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:196)
     [java] 	at Encrypt.verifyAndDecrypt(Encrypt.java:233)
     [java] 	at Encrypt.encrypt(Encrypt.java:183)
     [java] 	at Encrypt.<init>(Encrypt.java:119)
     [java] 	at Encrypt.main(Encrypt.java:102)

I've attached a small test case (java 1.5 or higher), this same code
works in WSS4j 1.5.4.

Please adjust the Libs directory in the build.xml file and check the
respective jar availability (verify versions)

For 1.5.5 test run:

ant Encrypt.1.5.5

For 1.5.4 test run:

ant Encrypt.1.5.4

To rebuild:

ant clean
ant build-project

Is it a bug or an implementation issue?

Thanks,

Mike

On Tue, Feb 24, 2009 at 9:52 AM, Mike <mc...@gmail.com> wrote:
> Hi Again!
>
> I found the error in my ways, and its an interesting problem:
>
> I've been creating an X509Certificate from a base64 encoded String
> which I have been using for the encryption part of the security pass.
> But when it comes to the decryption pass, the SecurityEngine cannot
> locate the alias, I assume because I don't provide an alias when
> encrypting but only provide the X509Cert (useThisCert method).
>
> How would I be able to work around this problem? As providing a public
> key for encryption is more convenient than putting a cert in a
> keystore and referencing it by an alias.
>
> Thank you,
>
> Mike
>
> On Tue, Feb 24, 2009 at 9:41 AM, Mike <mc...@gmail.com> wrote:
>> Hi Colm
>>
>> Thanks for your assistance, it appears to be something in my
>> implementation because since I've put a test case together for you the
>> test case has been working...
>>
>> Its bizarre because its practically the same code that I use in the
>> system, but in a sandbox it works perfectly...
>>
>> I'll have to dig down to the bottom of it all!
>>
>> Thanks again,
>>
>> Mike
>>
>> On Mon, Feb 23, 2009 at 7:36 PM, Colm O hEigeartaigh
>> <co...@progress.com> wrote:
>>> This is the problem I think:
>>>
>>>
>>>
>>> encrypt.prepare(doc, crypto);
>>>
>>>
>>>
>>> encrypt.prependToHeader(secHeader);
>>>
>>> doc = encrypt.build(doc, crypto, secHeader);
>>>
>>>
>>>
>>> I noticed that there were two EncryptedKey elements in the security header
>>> with the same Id, which looked odd ;-)
>>>
>>> All you need here is:
>>>
>>>
>>>
>>> doc = encrypt.build(doc, crypto, secHeader);
>>>
>>>
>>>
>>> Colm.
>>>
>>>
>>>
>>> ________________________________
>>>
>>> From: Colm O hEigeartaigh [mailto:coheigea@progress.com]
>>> Sent: 23 February 2009 17:09
>>> To: Mike; wss4j-dev@ws.apache.org
>>> Subject: RE: WSS4J 1.5.5 - Broken decryption
>>>
>>>
>>>
>>> Hi Mike,
>>>
>>>
>>>
>>> Can you give me a simpler example to work with? The request has both
>>> signature and encryption in it, as well as multiple EncryptedKey elements.
>>> Can you also add the code you're using to process the request?
>>>
>>> Ideally, could you create a test-case for it?
>>>
>>>
>>>
>>> Colm.
>>>
>>>
>>>
>>> ________________________________
>>>
>>> From: Mike [mailto:mcanix@gmail.com]
>>> Sent: 11 February 2009 11:58
>>> To: wss4j-dev@ws.apache.org
>>> Subject: WSS4J 1.5.5 - Broken decryption
>>>
>>>
>>>
>>> Hi All
>>>
>>> I recently upgraded to Wss4J 1.5.5 from 1.5.4 (and xml-sec 1.4.2 from
>>> 1.4.0), after a spelling fix (what is an identifir anyway?! :P) in my
>>> callback handler I tried to run my system (which is a B2B messaging server
>>> using ebXML) but it failed to work on the receiving end.
>>>
>>> I receive a stack trace and the identifier in the callback handle method is
>>> null?!?
>>>
>>> I'm not exactly sure what is going on, I did some digging and found that the
>>> alias was unassigned just before the callback occurred. I have also noted
>>> that I supply a null actor to the 'processSecurityHeader' method since I
>>> don't have access to it at the time. Is the actor fundamental to decryption?
>>>
>>> The same code worked perfectly on WSS4j 1.5.4.
>>>
>>> Versions:
>>>
>>> Wss4j 1.5.5
>>>
>>> xml-sec 1.4.2
>>>
>>> BouncyCastle JDK15-141
>>>
>>> Java 1.5.0_16
>>>
>>> Axis 1.4 1855 April 22 2006
>>>
>>> Metro 1.4
>>>
>>> Thanks,
>>>
>>> Mike
>>>
>>> Stack Trace:
>>>
>>> Caused by: org.apache.ws.security.WSSecurityException: General security
>>> error (WSSecurityEngine: Callback supplied no password for: null)
>>>
>>>  at
>>> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:290)
>>>  at
>>> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:92)
>>>  at
>>> org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:80)
>>>  at
>>> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>>>  at
>>> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>>>  at
>>> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:196)
>>>
>>>
>>>
>>> Encryption Code:
>>>
>>>   Utils.trace(this.getClass(), "WSS Encrypting SOAP Envelope");
>>>
>>>   WSSecEncrypt encrypt = new WSSecEncrypt();
>>>   encrypt.setEncCanonicalization(encCanonAlgo);
>>>   encrypt.setKeyEncAlgo(encKeyAlgo);
>>>   encrypt.setSymmetricEncAlgorithm(encSymAlgo);
>>>
>>>   if (encCert != null) {
>>>     Utils.trace(this.getClass(), "Encrypting with Configuration provided
>>> Certificate");
>>>     encrypt.setUseThisCert(encCert);
>>>   } else {
>>>     Utils.trace(this.getClass(), "Encrypting with Keystore provided
>>> Certificate");
>>>     encrypt.setUserInfo(encryptAlias);
>>>   }
>>>
>>>   if (!signalMessage) {
>>>     encrypt.setParts(getEncryptionParts(pMode, event));
>>>   } else {
>>>     encrypt.setParts(getSignalParts());
>>>   }
>>>
>>>   encrypt.prepare(doc, crypto);
>>>
>>>   encrypt.prependToHeader(secHeader);
>>>
>>>   doc = encrypt.build(doc, crypto, secHeader);
>>>
>>>
>>>   Utils.trace(this.getClass(), "WSS Encrypted SOAP Envelope");
>>>
>>>
>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org